This is a guest blog post written by Vincent Lynch, Technology and Customer Experience Evangelist at The SSL Store™. In this article, he is going to share his views about “HTTPS Everywhere” and its importance to the future of the web. The SSL Store™ is an industry partner of SpamExperts.
SSL was originally developed by Netscape in the mid-90s (SSL 2.0 shipped in 1995), yet even though it is the standard option for in-transit data security for websites, many people have only a very basic understanding of it. Today, everyone on the web uses SSL on a daily basis. Every major bank, as well as hundreds of thousands of other sites including Google, PayPal, Facebook, and Wikipedia, use SSL. So…what exactly is it?
The first thing to clarify is that “SSL” is in fact the older name for “TLS”. Both are security protocols that provide in-transit protection between a web server and a client device (primarily a web browser). TLS 1.0 replaced SSL 3.0 back in 1999, and every current browser and server uses a version of TLS; we still use the term “SSL” today because that’s the name the public is most familiar with.
Traditionally, when you visit a website, you’re connecting to the server hosting that site with the HyperText Transfer Protocol (HTTP). That protocol handles the transfer of data between the server and client required to render a webpage. HTTP is plaintext, meaning it transfers all the data as it is, “in the clear”. For example, if you send a web form to a server, all the info contained within is sent exactly as you wrote it. Usernames, passwords, addresses, and all other information transmitted during the connection can be viewed by anyone on that local network, or by those providing the connection between the two parties (such as an ISP).
The Importance of HTTPS
People are constantly sharing sensitive information across the web – passwords, session cookies, payment details, etc. – and HTTP is not suitable for that. If you want to protect the information being transmitted, you must use HTTPS, which is short for “Secure HTTP”.
HTTPS is HTTP carried over an SSL/TLS connection. The SSL handshake runs before any HTTP data is sent: the server presents its certificate, the client verifies it, and the two sides use public key cryptography to authenticate the server and agree on a session key; the HTTP traffic that follows is then encrypted with that key. It secures the connection in two ways: by encrypting the information, so that only the two endpoints (your browser and the server) can read the resulting plaintext, and by providing authentication, which ensures the server you are communicating with is not an imposter.
You know a website is using SSL when you see HTTPS at the beginning of the URL and the “green padlock” and/or the “green address bar” in your browser. All browsers implement this indicator slightly differently, but it’s usually to the left or right of the URL in the address bar. Sometimes the lock is grey, not green. All major browsers – including mobile browsers on Android and iPhone – display the padlock.
The Components and Benefits of SSL
SSL has two components: the protocol and certificates. The protocol is implemented by your web server software (on top of the server’s OS libraries) and by the client’s OS and browser. Every website that wants to use SSL needs an SSL certificate before it can turn on the protocol on its server. These certificates come from Certificate Authorities (CAs), companies that are trusted by device manufacturers and browser developers to handle the proper issuance of individual certificates for the millions of sites on the web. SSL certificates are usually sold in yearly increments – validity periods are available from one to three years – after which they expire and the website owner must obtain a new certificate. Certificates expire so that the CA periodically re-checks the website’s identity and ownership; that recurring check is what keeps the server authentication SSL provides accurate.
There are numerous real-world situations where SSL improves your users’ experience in ways that may not seem immediately obvious. The benefit most people are aware of is that SSL’s encryption prevents your users’ sensitive information from being leaked or intercepted, which helps prevent identity theft and account compromise, among other things. But did you know SSL also prevents content injection, such as an ISP or hotspot placing extra cookies or ads onto a site? That alone ensures a better user experience. Man-in-the-middle attacks and spoofing are also blocked, because an attacker on the network has neither your certificate’s private key nor a way to get a trusted CA to issue a certificate for your domain, so the browser rejects the imposter; this makes active network attacks significantly more difficult.
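What the client side of that authentication actually checks, as an added example that is not part of the original post and not code from The SSL Store: the two functions below take a certificate in the dictionary shape Python’s ssl.SSLSocket.getpeercert() returns (the sample certificate, its names and dates are constructed for this example) and apply the hostname rule browsers use plus the validity-window check described above; the 30-day renewal warning is a threshold chosen here. inspect_live() opens a real, verified TLS connection to a host you name on the command line (example.com is only the default) and reports the negotiated protocol version, cipher suite and the same checks; that part needs network access.

```python
import socket
import ssl
import sys
import time

# Constructed sample, shaped like the dict ssl.SSLSocket.getpeercert() returns.
# The names and dates are invented for this example.
SAMPLE_CERT = {
    "subject": ((("commonName", "example.com"),),),
    "issuer": ((("commonName", "Example CA"),),),
    "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com")),
    "notBefore": "Dec 1 00:00:00 2015 GMT",
    "notAfter": "Nov 30 23:59:59 2016 GMT",
}


def hostname_matches(hostname, cert):
    """Does the certificate cover this hostname?

    Modern browsers look only at DNS entries in subjectAltName (the commonName
    is ignored).  A wildcard covers exactly one leftmost label: *.example.com
    matches www.example.com but neither example.com nor a.b.example.com.
    """
    host = hostname.lower().rstrip(".")
    for kind, value in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        pattern = value.lower().rstrip(".")
        if pattern == host:
            return True
        if pattern.startswith("*."):
            suffix = pattern[1:]                      # ".example.com"
            label = host[: -len(suffix)] if host.endswith(suffix) else ""
            if label and "." not in label:
                return True
    return False


def check_cert(cert, hostname, now=None, warn_days=30):
    """Hostname, validity window and a renewal warning (warn_days is our choice).

    `now` may be seconds since the epoch or a string in the certificate's own
    'Mon DD HH:MM:SS YYYY GMT' format, so "what if" dates are easy to try.
    """
    if now is None:
        now = time.time()
    elif isinstance(now, str):
        now = ssl.cert_time_to_seconds(now)
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    days_left = int((not_after - now) // 86400)
    return {
        "hostname_ok": hostname_matches(hostname, cert),
        "valid_now": not_before <= now <= not_after,
        "days_left": days_left,
        "renew_soon": 0 <= days_left < warn_days,
    }


def inspect_live(host, port=443):
    """Open a verified TLS connection and report what was negotiated.

    create_default_context() loads the OS trust store and enables hostname
    checking, so wrap_socket() itself raises if the chain or name is bad;
    check_cert() then adds the expiry view on top.  Needs network access.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cipher_name, _protocol, bits = tls.cipher()
            return {
                "protocol": tls.version(),
                "cipher": cipher_name,
                "key_bits": bits,
                "checks": check_cert(tls.getpeercert(), host),
            }


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    print(inspect_live(target))
```

Run it as `python check_tls.py yourdomain.example` to see the protocol version and cipher your server negotiates; a failed chain or a name not covered by the certificate surfaces as an ssl.SSLCertVerificationError before check_cert() is even reached, which is exactly the failure an imposter server would hit.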
Every website is capable of obtaining an SSL certificate, and SSL is the only widely deployed option for in-transit encryption of web traffic between browsers and servers. In the last 3-4 years the proliferation of Internet monitoring/surveillance, hacking and phishing attacks, and ISP content injection and tampering have led to a major increase in the use of SSL. All indications are that HTTPS will overtake HTTP within a few short years.
Studies have shown that information that seems irrelevant or unimportant can actually be used to identify a user, especially in aggregate. This is the type of information that is available to ISPs or Governments. You don’t know who is using your site, why they are using your site, or what else they may be doing on other sites. By providing HTTPS you help keep them protected when they are using other websites, as well as your own, creating a more secure Web.
So now that we know the basics of SSL, we can take a look at implementation. SSL has been around for more than 20 years, and is widely supported by all browsers and devices – heck even our office printer supports SSL. SSL certificates are available from dozens of CAs, including global IT/Security leaders like Symantec. So adding SSL support to your site is not a question of if, but when.
As mentioned earlier, SSL has two components: the protocol, and certificates. The first thing you will need to do is find a certificate that matches your needs – there are variations in authentication and functionality which we will discuss in a later article. Once you have a certificate you need to install it, configure your server to use it, and turn the protocol on. Even if you have never done this before, don’t worry: if you are comfortable with your server’s OS it shouldn’t take more than 30 minutes to get a basic configuration completed.
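Once the certificate and key are on the server, turning the protocol on means two things: serving the site over TLS, and sending plain-HTTP visitors to the HTTPS version so that the secure version is the only one in use. The block below is an added example, not code from the original post or from The SSL Store, written with Python’s standard library rather than for any particular web server; the file names fullchain.pem and privkey.pem (the certificate chain your CA issued and its private key), the TLS 1.2 floor and the Strict-Transport-Security header are choices made for this example. The redirect half runs offline on a loopback port; the HTTPS half needs the two files and, on port 443, the right to bind it.

```python
import http.client
import http.server
import ssl
import threading

# Assumed file names: the certificate chain your CA issued and its private key.
CERT_FILE = "fullchain.pem"
KEY_FILE = "privkey.pem"


def https_url_for(host_header, path):
    """Canonical HTTPS URL for a request that arrived over plain HTTP.

    The port in the Host header belongs to the HTTP listener, so it is dropped;
    IPv6 literals ([::1]:8080) keep their brackets.
    """
    host = (host_header or "localhost").strip()
    if host.startswith("["):
        host = host[: host.index("]") + 1]
    elif ":" in host:
        host = host.rsplit(":", 1)[0]
    return "https://" + host + path


class RedirectToHTTPS(http.server.BaseHTTPRequestHandler):
    """Port-80 handler: answer every request with a permanent redirect."""

    def _redirect(self):
        self.send_response(301)
        self.send_header("Location", https_url_for(self.headers.get("Host"), self.path))
        self.send_header("Content-Length", "0")
        self.end_headers()

    do_GET = do_HEAD = do_POST = _redirect

    def log_message(self, *args):        # keep the example quiet
        pass


class SecureSiteHandler(http.server.SimpleHTTPRequestHandler):
    """Port-443 handler: serves the current directory over TLS."""

    def end_headers(self):
        # Strict-Transport-Security (an addition of this example) tells a
        # returning browser to go straight to HTTPS for the next year.  Only
        # send it once every page of the site works over HTTPS.
        self.send_header("Strict-Transport-Security", "max-age=31536000")
        super().end_headers()


def hardened_server_context():
    """TLS settings that do not depend on the certificate: TLS 1.2 and up only."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def redirect_roundtrip(path="/login?next=%2Faccount"):
    """Start the redirect listener on a loopback port, request `path`, and
    return (status, Location) so the redirect can be seen without port 80."""
    server = http.server.HTTPServer(("127.0.0.1", 0), RedirectToHTTPS)
    port = server.server_address[1]
    threading.Thread(target=server.serve_forever, daemon=True).start()
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    try:
        conn.request("GET", path)            # Host header is 127.0.0.1:<port>
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()
        server.shutdown()
        server.server_close()


def serve_https(port=443):
    """Serve the current directory over TLS using the issued certificate and key."""
    ctx = hardened_server_context()
    ctx.load_cert_chain(CERT_FILE, KEY_FILE)
    httpd = http.server.HTTPServer(("0.0.0.0", port), SecureSiteHandler)
    httpd.socket = ctx.wrap_socket(httpd.socket, server_side=True)
    httpd.serve_forever()


if __name__ == "__main__":
    # Both listeners: plain HTTP on 80 only redirects, the site lives on 443.
    http_listener = http.server.HTTPServer(("0.0.0.0", 80), RedirectToHTTPS)
    threading.Thread(target=http_listener.serve_forever, daemon=True).start()
    serve_https()
```

The redirect preserves the path and query string and strips the HTTP listener’s port, so `http://www.example.com:8080/login?next=%2Faccount` lands on `https://www.example.com/login?next=%2Faccount`; a 301 rather than a 302 lets browsers and search engines remember that the HTTPS address is the canonical one.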
Google recently held the 2015 Chrome Developer Summit, a conference focused on improvements in all web technologies. At the summit, one of Google’s engineers said SSL is the “baseline for 2016”, a sentiment we strongly agree with.
This isn’t just the position of one Google employee. Google, and many other industry leaders – including Mozilla, Microsoft, and standards bodies like the Internet Engineering Task Force (IETF) – have been cementing the idea that the entire web needs to move to HTTPS. This has large implications for the future of security for the Web. So let’s take a look at how SSL can do more than just provide your site with rock-solid security.
HTTPS Everywhere and SSL as a Ranking Signal
You may have heard of the “HTTPS Everywhere” campaign supported by Google, the EFF, and many others. This is simply the idea that every page of a website should be served over HTTPS to provide secure browsing to its visitors. Lots of industry leaders and Internet advocates want HTTPS to be more popular, and they all have good reasons for that. Companies like Google like HTTPS because it reduces the risk of data leakage and network hijacking or modification, which in turn increases confidence in the Internet and leads to more overall Internet usage, which is obviously good for someone like Google. Advocates such as the EFF like HTTPS because it protects users’ data and makes Internet spying harder. No matter who you are, you’re sure to find a reason to like and benefit from HTTPS. If you are a server admin or web developer, we have a couple of reasons that will make you LOVE SSL as well!
Google made headlines last year (August 2014) when they announced that using HTTPS would actually be a search ranking signal, meaning that supporting secure browsing will help your website’s rank on Google. That was one of the first big public steps Google made in support of HTTPS. Since then, a lot has happened, so let’s talk about implementing SSL and its benefits.
Affordable and Effective
Financially, SSL is extremely accessible. Basic SSL certificates are cheaper than a yearly domain registration. So you don’t have to worry about SSL breaking your budget. The question we get more often, and the question that is harder to answer is: what’s the performance cost of SSL? The answer may surprise you.
Naturally, SSL has a performance impact. The “handshake” that takes place between a client and server to start any SSL connection involves sending the certificate chain to the client and negotiating the exact encryption methods that will be used; that cost is paid once per connection, and keep-alive connections and session resumption amortize it across many requests. Once the connection is established, there are additional memory and CPU requirements to encrypt/decrypt the information. But it’s actually possible to implement SSL and see a net performance increase, because you have to adopt SSL if you want to take advantage of one of the biggest advancements in web technology.
The Rise of HTTP/2
Earlier this year the IETF approved HTTP/2, which is the first new version of the HTTP protocol since HTTP/1.1 in 1997. HTTP/2 has tons of new features that help the modern web work faster and is now supported by the majority of popular web browsers. More importantly, although the specification itself allows HTTP/2 over plaintext, Chrome, Firefox, Edge, Safari, and Opera all require that you support SSL in order to use HTTP/2.
While only a few sites have started to use HTTP/2, we already have some great real-world data showing the improvement. Akamai, one of the world’s largest CDNs, recently announced that they saw up to a 25% increase in performance when switching from plaintext HTTP to HTTP/2 with SSL. This is absolutely huge. You are actually able to add security to your site while making it FASTER.
You can see this for yourself in your own browser. Open up http://httpvshttps.com to see a live comparison between plaintext HTTP and HTTP/2 with SSL.
Not only do you need to support SSL to use HTTP/2, but you will need SSL to use a set of browser features known as “powerful web features”. This includes full-screen mode, device orientation, geo-location, and more. These features provide great functionality to websites, but the data they have access to is so sensitive that browser developers don’t think it’s safe to provide them over plaintext HTTP.
Recently, large organizations like Netflix and Wikipedia have moved over to HTTPS, and some statistics are already showing that nearly 50% of web traffic is over HTTPS. As we get closer and closer to Internet-wide support, Google, Mozilla, and other browser vendors have plans to make the security risk of HTTP even clearer.
Trust Indicators and Security Warnings
Earlier, we talked about the “green padlock” and “green address bar”. These are User Interface (UI) features activated in the browser when SSL is used. But did you know that when insecure HTTP is used, there is no warning that the data being transmitted is totally unprotected? Google has already commenced a multi-stage plan that will eventually result in a very prominent negative UI indicator for HTTP. When that happens, you’ll quickly know the official deprecation of HTTP has begun.
It has become very clear that 2016 will be the year of “HTTPS Everywhere” (also referred to as “Always on SSL”), so why not get ahead of the curve? HTTPS is incredibly important to the future of the web, and moving forward it will be a requirement for most new web technologies.
Hopefully this has been a helpful introduction to SSL. If you are a server admin looking to learn more about implementing SSL, Is TLS Fast Yet? is a great resource for you.